Researchers at the Dutch security firm Securify have published a detailed analysis of an Android banking Trojan called Marcher and discovered that a single botnet managed to steal a large number of payment cards.
Marcher has been around since 2013. Initially it attempted to trick users into handing over their payment card details using phishing pages that mimicked Google Play. In March 2014 the malware began targeting banks in Germany, and by the summer of 2016 it was targeting more than 60 organisations in the U.S., Australia, the U.K., Poland, Turkey, France, Spain and other countries.
The malware has been disguised as many popular apps, such as WhatsApp, Netflix and Super Mario Run.
Securify also identified nine Marcher botnets in the last six months, all of which have been supplied with new modules and targeted web injects by the Trojan's creators.
One of these botnets, which mainly targets customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers' C&C server stored 1,300 payment card numbers along with other banking information.
Based on their analysis of the command and control (C&C) server used by the cybercriminals, the researchers determined that the majority of infected devices were running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.
“Marcher is one of the Android banking Trojans which use the AndroidProcesses library, which enables the application to obtain the names of the Android packages that are currently running in the foreground. That library is generally used because it uses the only publicly known way to retrieve this information on Android 6, using the process OOM score read from the /proc directory,” explained the researchers at Securify.